Company says that no payment or credit card data has been stolen or leaked.
A screenshot of the Zomato website.
New Delhi: Food and restaurant search engine Zomato’s database has suffered a security breach, with the user records of up to 17 million people having been stolen.
According to Hackread, this database is up for sale on a Dark Web marketplace and includes email IDs and password hashes of millions of Zomato users. The security publication got in touch with a data vendor, who goes by the monker “nclay”, and managed to confirm that some of the IDs up for sale were ones that corresponded to genuine, registered Zomato users.
The company, on Thursday morning, responded to the report and admitted that its security had indeed detected a security breach.
“The stolen information has user email addresses and hashed passwords. The hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password,” the company said in a statement.
No payment data
The company, however, stressed that the breach did not impact or compromise any of its users’ payment-related information including bank account details or credit card data.
“Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked. As a precaution, we have reset the passwords for all affected users and logged them out of the app and website,” the company’s statement said.
How did this security breach happen? At least two people pointed out that currently it looked like an internal security breach: A Zomato employees’ development account apparently may have been compromised.
.The Zomato data breach comes on a wave of security breaches that have hit both private and government parties. Earlier this year, the McDonalds India app was found to have potentially leaked the personal data of nearly 2.2 million users.